search

semuxproject / semux-core

Semux Core
https://www.semux.org
MIT License
76 stars 31 forks source link

API: enhance the service grouping #273

Closed semuxgo closed 5 years ago

semuxgo commented 5 years ago

Description

This PR introduces the concept of public and private services, to partially resolve #271.

Test Plan

Existing unit tests

Related issues and/or PRs

271

witoldsz commented 5 years ago

So, the concept here does not cover the case where I would like to use my node as a public Semux API node and still be able to access wallet API, is that right? If so, that means the public Semux nodes are, in practice, not accessible for owners (no GUI, no API).

semuxgo commented 5 years ago

I think you can do both now. The private APIs (wallet) are enabled and protected by basic auth, while the public APIs are just open to public, without basic auth.

witoldsz commented 5 years ago

OK, but I would feel uncomfortable exposing everything and having just the auth as the final shield from accessing my wallet. Of course I could set up some extended matching rules, not to allow certain endpoints to go through (black/white listed in reverse proxy service), but it complicates the deployment.

Last, but not least, when exposing public API I would like the swagger definition to be trimmed down to only what's available. See the https://api.semux.online. You won't find wallet endpoints there or the authentication schemes definition. And I can still see and use full version when bypassing the proxy.

honeycrypto commented 5 years ago

+1 for the dynamic swagger page, but what will be the best implementation for this? Desktop users want to see all available endpoints, even the protected ones (because they are on localhost). While public API providers want to show only public endpoints in swagger UI. Another config option api.showPrivateInSwaggerUI = true?

2) I think we should encourage users do not ever use wallets with public API as their personal wallets. If there is a bug or whatever, they can lose their funds. If the wallet has always 0 balance, it's not that critical if someone once will get a chance to access private API.

3) We can provide a documentation how to setup a public api node from scratch, including some kind of nginx.conf with the blacklisted private endpoints, instruction on getting let's encrypt certificates and other requited steps.

TL;DR: i'm ok with exposing to internet password protected endpoints. Dynamic Swagger UI is good to have to minimise required configs to proxy/firewall and certificates.

semuxgo commented 5 years ago

Dynamic swagger generation would require extra engineering work. Will consider this in another PR.

Displaying all APIs (even though some of them are inaccessible) won't necessarily be a bad thing. I personally use https://api.semux.online not only for calling these endpoints but also for reading the API specification.